Claude Code Plugins

Community-maintained marketplace


moai-security-api

@jg-chalk-io/Nora-LiveKit

API security patterns - authentication, authorization, rate limiting, OWASP


SKILL.md

name moai-security-api
version 4.0.0
updated 2025-11-20
status stable
description API security patterns - authentication, authorization, rate limiting, OWASP
allowed-tools Read, Bash, WebSearch, WebFetch

API Security Expert

Secure API Design & Implementation

Focus: Authentication, Authorization, Rate Limiting, OWASP API Top 10
Stack: OAuth 2.0, JWT, API Keys, CORS


Overview

Comprehensive patterns for securing RESTful and GraphQL APIs.

Core Security Layers

  1. Authentication: Who are you? (OAuth, JWT, API keys)
  2. Authorization: What can you do? (RBAC, ABAC)
  3. Rate Limiting: Prevent abuse (token bucket, sliding window)
  4. Input Validation: Prevent injection attacks

Quick Start

1. JWT Authentication

Issue and verify JWT tokens for API access.

Key Concepts:

  • Token structure: Header.Payload.Signature
  • Short-lived tokens (<1 hour)
  • Refresh token rotation

See: examples.md for implementation
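The three key concepts above (compact Header.Payload.Signature structure, a short expiry, and refresh-token rotation) in one runnable example. This is an added illustration, not the skill's own examples.md code: it implements HS256 with the Python standard library so it runs without PyJWT, uses a constructed demo key and an in-memory refresh store, and pins the algorithm server-side so that an attacker-supplied `alg` is never honoured.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, Optional, Tuple

# Constructed demo key. In production load it from a secret store; never commit it.
SECRET = b"demo-hs256-key-change-me"
ACCESS_TTL = 15 * 60  # 15 minutes: well under the page's 1-hour ceiling


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _compact(obj: Dict) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":")).encode())


def issue_token(sub: str, ttl_seconds: int = ACCESS_TTL, now: Optional[float] = None) -> str:
    """Issue an HS256 JWT: base64url(header).base64url(payload).base64url(signature)."""
    now = int(time.time() if now is None else now)
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": sub, "iat": now, "exp": now + ttl_seconds, "jti": secrets.token_hex(8)}
    signing_input = f"{_compact(header)}.{_compact(payload)}"
    signature = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(signature)}"


def verify_token(token: str, now: Optional[float] = None) -> Dict:
    """Verify signature and expiry. Raises ValueError on any failure (caller maps to 401)."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(_b64url_decode(h_b64))
    # Pin the algorithm server-side. Honouring "alg" from the token enables
    # alg=none and key-confusion attacks.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):  # constant-time compare
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(p_b64))
    if not isinstance(payload.get("exp"), int) or now >= payload["exp"]:
        raise ValueError("token expired or missing exp")
    return payload


# Refresh-token rotation. Only a hash of the opaque refresh token is stored; every
# use consumes it and issues a replacement. A consumed token presented again means
# it was stolen, so every refresh token for that subject is revoked.
_active: Dict[str, str] = {}    # sha256(refresh token) -> subject (constructed in-memory store)
_consumed: Dict[str, str] = {}  # sha256(refresh token) -> subject


def _h(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def issue_refresh(sub: str) -> str:
    token = secrets.token_urlsafe(32)
    _active[_h(token)] = sub
    return token


def rotate_refresh(refresh: str, now: Optional[float] = None) -> Tuple[str, str]:
    """Exchange a refresh token for (new access token, new refresh token)."""
    key = _h(refresh)
    if key in _consumed:
        sub = _consumed[key]
        for k in [k for k, v in _active.items() if v == sub]:
            del _active[k]
        raise ValueError("refresh token reuse detected; all sessions for subject revoked")
    sub = _active.pop(key, None)
    if sub is None:
        raise ValueError("unknown refresh token")
    _consumed[key] = sub
    return issue_token(sub, now=now), issue_refresh(sub)
```

The `now` parameter exists so expiry can be tested deterministically; omit it in real handlers. With an asymmetric algorithm (RS256/ES256) the same rule applies: the verifier decides the algorithm and key from its own configuration, never from the token header.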

2. Role-Based Access Control (RBAC)

Enforce permissions based on user roles.

Pattern: Decorator/middleware checks user role before allowing access.

See: examples.md for code
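The decorator pattern described above, as an added example rather than the skill's own examples.md code. It shows the two checks that are easy to conflate: the decorator enforces function-level access (which roles may call the endpoint at all), and a separate ownership check enforces object-level access (which records this caller may touch). Roles, permissions and the order table are constructed sample data.

```python
from dataclasses import dataclass
from functools import wraps
from typing import Callable, Dict, FrozenSet, Set


class AccessDenied(Exception):
    """Map to HTTP 403 (or 404 for object lookups, see load_owned_order)."""


@dataclass(frozen=True)
class Principal:
    user_id: str
    roles: FrozenSet[str] = frozenset()


# Role -> permission map (constructed). Deny by default: a permission that is not
# listed for any of the caller's roles is refused, and unknown roles grant nothing.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "viewer": {"orders:read"},
    "support": {"orders:read", "orders:refund"},
    "admin": {"orders:read", "orders:refund", "orders:delete"},
}


def permissions_for(principal: Principal) -> Set[str]:
    perms: Set[str] = set()
    for role in principal.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def require_permission(permission: str) -> Callable:
    """Function-level authorization. The decorated handler receives the authenticated
    principal as its first argument; the check runs before the handler body."""
    def decorator(handler: Callable) -> Callable:
        @wraps(handler)
        def wrapper(principal: Principal, *args, **kwargs):
            if permission not in permissions_for(principal):
                raise AccessDenied(f"{principal.user_id} lacks {permission}")
            return handler(principal, *args, **kwargs)
        return wrapper
    return decorator


# Constructed sample data standing in for a database table.
ORDERS: Dict[str, Dict] = {
    "o-1": {"owner": "alice", "total": 42},
    "o-2": {"owner": "bob", "total": 7},
}


def load_owned_order(principal: Principal, order_id: str) -> Dict:
    """Object-level authorization. The role check says the caller may read orders
    at all; this says which orders. Missing and foreign objects raise the same error
    so valid IDs cannot be enumerated from the response."""
    order = ORDERS.get(order_id)
    if order is None or (order["owner"] != principal.user_id and "admin" not in principal.roles):
        raise AccessDenied("order not found")
    return order


@require_permission("orders:read")
def get_order(principal: Principal, order_id: str) -> Dict:
    return load_owned_order(principal, order_id)


@require_permission("orders:delete")
def delete_order(principal: Principal, order_id: str) -> Dict:
    load_owned_order(principal, order_id)
    return ORDERS.pop(order_id)
```

In a web framework the principal comes from the authentication layer (for example the verified JWT subject) and `AccessDenied` is translated into a response by an exception handler; the decorator itself stays framework-agnostic.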

3. Rate Limiting

Prevent API abuse with the token bucket algorithm: each client has a bucket that refills at the sustained rate and holds a bounded burst.

Common Limits:

  • Public endpoints: 100 req/min (keyed by source IP)
  • Authenticated: 1000 req/min (keyed by user or token subject)
  • Admin: high but finite; a compromised admin credential should still hit a ceiling

See: examples.md for implementation
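A token bucket limiter with the tiers listed above, added here as an illustration and not taken from the skill's examples.md. The clock is injectable so the refill behaviour can be tested without sleeping; the tier figures follow the page's per-minute limits, and the admin ceiling is a constructed value.

```python
import math
import time
from typing import Callable, Dict, Tuple


class TokenBucket:
    """Bucket of `capacity` tokens refilled continuously at `refill_per_sec`.
    A request costs one token; an empty bucket means the client is over its limit."""

    def __init__(self, capacity: float, refill_per_sec: float, now: float) -> None:
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self.tokens = capacity
        self.updated = now

    def _refill(self, now: float) -> None:
        elapsed = max(0.0, now - self.updated)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.refill_per_sec)
        self.updated = now

    def try_consume(self, now: float, cost: float = 1.0) -> bool:
        self._refill(now)
        if self.tokens >= cost:
            self.tokens -= cost
            return True
        return False  # a denied request does not consume tokens

    def retry_after(self, cost: float = 1.0) -> int:
        """Whole seconds until `cost` tokens will be available again."""
        deficit = max(0.0, cost - self.tokens)
        return math.ceil(deficit / self.refill_per_sec)


# Tier -> (burst capacity, sustained requests per second). Public and authenticated
# follow the page's per-minute limits; the admin figure is a constructed ceiling.
TIERS: Dict[str, Tuple[float, float]] = {
    "public": (100, 100 / 60),
    "authenticated": (1000, 1000 / 60),
    "admin": (5000, 5000 / 60),
}


class RateLimiter:
    """Per-client limiter. Key public traffic by source IP and authenticated traffic by
    subject, so one user cannot burn another's quota. This store is per-process; behind
    a load balancer you would back it with a shared store such as Redis."""

    def __init__(self, tiers=TIERS, clock: Callable[[], float] = time.monotonic) -> None:
        self.tiers = tiers
        self.clock = clock
        self.buckets: Dict[Tuple[str, str], TokenBucket] = {}

    def check(self, client_key: str, tier: str) -> Tuple[bool, Dict[str, str]]:
        """Return (allowed, rate-limit response headers) for one request."""
        now = self.clock()
        capacity, rate = self.tiers[tier]
        bucket = self.buckets.setdefault((tier, client_key), TokenBucket(capacity, rate, now))
        allowed = bucket.try_consume(now)
        headers = {
            "X-RateLimit-Limit": str(int(capacity)),
            "X-RateLimit-Remaining": str(int(bucket.tokens)),
        }
        if not allowed:
            headers["Retry-After"] = str(bucket.retry_after())  # send with HTTP 429
        return allowed, headers
```

Apply the check before authentication for the public tier (so unauthenticated floods never reach the token verifier) and again after it for the per-user tier; the two keys are different, so a single client cannot escape one limit by acquiring the other.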

4. CORS Configuration

Restrict cross-origin requests to trusted domains.

Critical: Never use allow_origins=["*"] in production, and never reflect the request's Origin header back unconditionally, which with credentials enabled is the same hole under another name. Match origins exactly (scheme, host and port), not by prefix or substring.

See: examples.md for configuration
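An origin check written out, so the difference between an exact allowlist and the wildcard or prefix-matching shortcuts is concrete. This is an added example, not the skill's examples.md configuration; it is framework-independent Python (the same decision logic a middleware such as FastAPI's CORSMiddleware makes), and the allowlist, methods and header names are constructed values.

```python
from typing import Dict, Optional, Set
from urllib.parse import urlsplit

# Exact origins, scheme and host included (constructed allowlist). A single "*" entry,
# or echoing whatever Origin the request carried, would let any site call the API
# with the victim's cookies.
ALLOWED_ORIGINS: Set[str] = {"https://app.example.com", "https://admin.example.com"}
ALLOWED_METHODS = "GET, POST, PUT, DELETE"
ALLOWED_HEADERS = "Authorization, Content-Type"


def normalize_origin(origin: str) -> Optional[str]:
    """Canonical form of an Origin header value (scheme://host[:port]), or None when
    it is not a well-formed https origin. "null", plain http and values carrying a
    path, query or userinfo all fail here."""
    try:
        parts = urlsplit(origin)
        port = parts.port
    except ValueError:
        return None
    if parts.scheme != "https" or not parts.hostname or parts.username:
        return None
    if parts.path or parts.query or parts.fragment:
        return None
    host = parts.hostname  # urlsplit already lowercases the host
    return f"https://{host}:{port}" if port and port != 443 else f"https://{host}"


def cors_headers(origin: Optional[str], preflight: bool = False) -> Dict[str, str]:
    """CORS response headers for one request. An empty dict means no CORS headers at
    all, so the browser refuses the cross-origin read. Requests without an Origin are
    same-origin or non-browser clients and get nothing either."""
    if origin is None:
        return {}
    canonical = normalize_origin(origin)
    if canonical is None or canonical not in ALLOWED_ORIGINS:
        return {}
    headers = {
        "Access-Control-Allow-Origin": canonical,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",  # the response differs per origin; stop caches mixing them
    }
    if preflight:  # answer to an OPTIONS request
        headers["Access-Control-Allow-Methods"] = ALLOWED_METHODS
        headers["Access-Control-Allow-Headers"] = ALLOWED_HEADERS
        headers["Access-Control-Max-Age"] = "600"
    return headers


def weak_prefix_check(origin: str) -> bool:
    """The bug the allowlist above avoids: prefix (or substring, or unanchored regex)
    matching accepts https://app.example.com.evil.net, a name an attacker can register."""
    return origin.startswith("https://app.example.com")
```

Browsers also reject a response that combines `Access-Control-Allow-Origin: *` with `Access-Control-Allow-Credentials: true`, which is why a wildcard silently breaks credentialed clients and tempts developers into reflecting the Origin instead.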


OWASP API Security Top 10 (2023)

| #  | Vulnerability                                       | Mitigation                                                              |
|----|-----------------------------------------------------|-------------------------------------------------------------------------|
| 1  | Broken Object Level Authorization                   | Check that the caller owns (or may access) the resource on every lookup  |
| 2  | Broken Authentication                               | OAuth 2.0 flows, MFA, short-lived tokens                                |
| 3  | Broken Object Property Level Authorization          | Return only the fields the caller needs; reject unexpected fields on write |
| 4  | Unrestricted Resource Consumption                   | Rate limiting, pagination, request size and timeout limits              |
| 5  | Broken Function Level Authorization                 | Verify permissions per endpoint, admin routes included                   |
| 6  | Unrestricted Access to Sensitive Business Flows     | CAPTCHA, anomaly detection, per-flow limits                              |
| 7  | Server Side Request Forgery (SSRF)                  | Validate URLs, resolve and block private and link-local addresses        |
| 8  | Security Misconfiguration                           | Disable debug, remove defaults, restrict CORS                            |
| 9  | Improper Inventory Management                       | Document endpoints, version and retire old APIs                          |
| 10 | Unsafe Consumption of APIs                          | Validate and bound third-party responses                                 |

See: reference.md for detailed mitigations
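The SSRF row is the one most often mitigated with a string check that does not hold up, so here is the check spelled out: an added example, not the skill's reference.md content. It validates scheme and userinfo, resolves the host, rejects any address in a private, loopback, link-local or IPv4-mapped range, and returns the resolved addresses so the caller can connect to exactly those. The blocked ranges and the offline DNS table are constructed.

```python
import ipaddress
import socket
from typing import Callable, List
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Ranges an API server should never be asked to fetch from (constructed list; add
# your own VPC ranges). 169.254.169.254, the cloud metadata service, is the classic target.
_BLOCKED = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]


def is_public_ip(text: str) -> bool:
    addr = ipaddress.ip_address(text)
    if addr.version == 6 and addr.ipv4_mapped:  # ::ffff:10.0.0.5 is really 10.0.0.5
        addr = addr.ipv4_mapped
    if addr.is_multicast or addr.is_reserved or addr.is_unspecified:
        return False
    return not any(addr in net for net in _BLOCKED)


def validate_outbound_url(url: str, resolver: Callable = socket.getaddrinfo) -> List[str]:
    """Accept a user-supplied URL only if every address it resolves to is public.
    Returns those addresses so the HTTP client can pin its connection to them, which
    closes the DNS-rebinding window between this check and the real connect.
    Raises ValueError on any rejection."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password:
        raise ValueError("credentials in URL not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    try:
        ips = [str(ipaddress.ip_address(host))]  # literal address, including [::1]
    except ValueError:
        try:
            ips = sorted({info[4][0] for info in resolver(host, port)})
        except OSError as exc:
            raise ValueError(f"cannot resolve {host!r}") from exc
    if not ips or not all(is_public_ip(ip) for ip in ips):
        raise ValueError(f"{host!r} resolves to a non-public address")
    return ips


# Constructed stand-in for DNS so the example runs offline; pass the real
# socket.getaddrinfo (the default) in production.
FAKE_DNS = {
    "api.partner.example": ["203.0.113.10"],
    "localhost": ["127.0.0.1"],
    "internal.corp": ["10.0.0.5"],
    "dual.example": ["203.0.113.11", "192.168.1.1"],  # one public, one private: reject
}


def fake_resolver(host: str, port: int):
    if host not in FAKE_DNS:
        raise socket.gaierror(f"unknown host {host}")
    return [(socket.AF_INET, socket.SOCK_STREAM, 0, "", (ip, port)) for ip in FAKE_DNS[host]]
```

Two things the check cannot do on its own: the HTTP client must not follow redirects automatically (or must re-run this validation on every hop), and a name-based allowlist of partner hosts is still stronger than a denylist of addresses where the set of legitimate targets is known.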


Best Practices

  1. HTTPS Only: Enforce TLS 1.3 (TLS 1.2 as the floor only where old clients must be supported); reject plaintext API requests outright rather than redirecting, since a redirect still lets a bearer token cross the wire unencrypted
  2. Short-Lived Tokens: JWT expiry <1 hour
  3. API Versioning: /v1/users, /v2/users
  4. Logging: Log auth failures, suspicious patterns
  5. Error Messages: Don't leak system details

Validation Checklist

  • Auth: JWT/OAuth implemented?
  • AuthZ: RBAC/ABAC enforced?
  • Rate Limiting: Configured per endpoint?
  • CORS: Restricted to trusted origins?
  • HTTPS: TLS 1.3+ enforced?
  • Input: Pydantic/Zod validation used?

Related Skills

  • moai-security-auth: Authentication patterns
  • moai-security-devsecops: Security testing
  • moai-domain-backend: API design

Additional Resources


Last Updated: 2025-11-20